views:

82

answers:

1

I am using ASP.NET MVC, on my login action I am doing:

[AcceptVerbs("POST")]
public ActionResult Login(FormCollection form)
{
    User validatedUser = // tests username/pwd here.

    FormsAuthentication.RedirectFromLoginPage(
        validatedUser.ID.ToString(), rememberMe);

    if(String.IsNullOrEmpty(Request["ReturnUrl"]))
        string redirectUrl = Request["ReturnUrl"];

    if (!String.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
        string redirectUrl = Request["ReturnUrl"];
}

My url looks like this when I am on the login page:

http://localhost:56112/user/login?ReturnUrl=/admin/settings

Does anything look wrong here?

My web.config:

<authentication mode="Forms">
    <forms loginUrl="/user/login"
        protection="All"
        timeout="30"
        name="SomeCookie"
        requireSSL="false"
        slidingExpiration="true"
        defaultUrl="default.aspx" />
+4  A: 

I would recommend you against using RedirectFromLoginPage method in an MVC application. It would be better to perform redirects using standard ASP.NET MVC techniques. You may use SetAuthCookie method:

public ActionResult Login(FormCollection form)
{
    // ...
    FormsAuthentication.SetAuthCookie(validatedUser.ID.ToString(), rememberMe);
    // ...
    return Redirect(FormsAuthentication.DefaultUrl); // will read default url from web.config
}
Darin Dimitrov
why do you suggest against it? (curiuos)
Blankman
Because the recommended way to perform a redirect in an ASP.NET MVC application is to return the proper ActionResult from the action. `RedirectFromLoginPage` is close to impossible to unit test.
Darin Dimitrov